BuckleySandler LLP’s InfoBytes Blog monitors and reports on news, legal developments and legislative actions affecting the financial services industry. With a focus on issues ranging from fair lending to consumer financial services regulation and the CFPB, InfoBytes Blog is a comprehensive and timely source for in-house counsel and industry executives to stay abreast of developments affecting their industry.

On October 27, the FCC adopted privacy rules regulating consumers’ use of broadband internet services. As previously covered in InfoBytes, the FCC issued revised proposed privacy rules for broadband internet service providers (ISPs) in early October to provide consumers with “increased choice, transparency and security online.” Like the proposed rules, the adopted rules (i) require ISPs to obtain confirmative consent to use and share sensitive information; and (ii) permit ISPs to share non-sensitive information unless a customer opts out.

Because the scope of the rules is limited to broadband service providers and other telecommunication carriers, the FTC maintains its authority over the privacy practices of websites and other “edge services.” In support of the newly adopted FCC rules, the FTC Chairwoman commented that “[t]he rules will provide robust privacy protections, including protecting sensitive information such as consumers’ social security numbers, precise geolocation data, and content of communications, and requiring reasonable data security practices.”

On September 15, the FTC will host a workshop titled “Putting Disclosures to the Test” to examine the effectiveness of consumer disclosures. Scheduled to take place in Washington, D.C., the full-day event will include an opening session devoted to how consumers process disclosures, and presentations on the following six topic areas: (i) methods and procedures for evaluating the effectiveness of disclosures; (ii) if and when consumers notice, read, or pay attention to disclosures; (iii) if consumers understand the information in disclosures; (iv) the impact of disclosures on consumers’ decisions and behavior; (v) case studies; and (vi) the future of disclosures, with emphasis on how to make them more efficient and effective. In addition to acknowledging the agency’s commitment to ensuring the use of effective, non-deceptive disclosures for advertisement purposes, the FTC highlighted the significance of effective disclosures in the privacy field and noted that it has “long encouraged the development and testing of shorter, clearer, easier-to-use privacy disclosures and consent mechanisms.”

On July 12, the European Union (EU) finalized and adopted the EU-U.S. Privacy Shield for transatlantic data flows. As previously covered in InfoBytes, on October 6, 2015, the Court of Justice of the European Union declared in Schrems v. Data Protection Commissioner “invalid” a decision of the European Commission that the EU-U.S. Safe Harbor Framework provided adequate protection for personal data transferred from the EU to the U.S., thus requiring the EU and the U.S. to develop a new framework for transatlantic data transfers. The recently finalized EU-U.S. Privacy Shield is based on the following principles: (i) strong obligations on companies handling data, including requiring the Department of Commerce to regularly conduct updates and reviews of participating companies and tightening conditions for the onward transfers of data; (ii) clear safeguards and transparency obligations on the U.S. government, assuring that “the access of public authorities for law enforcement and national security is subject to clear limitations, safeguards and oversight mechanisms”; (iii) effective protection of individual rights, including complaint-handling mechanisms and the designation of an Ombudsperson independent from U.S. intelligence services to handle redress in the area of national security for EU citizens; and (iv) an annual joint review mechanism to monitor the functioning of the Privacy Shield. On July 12, the Commission simultaneously released a Q&A, a Fact Sheet, the “Adequacy Decision,” which will enter into force immediately after Member States are notified, and Annexes.

On May 11, the Subcommittee on Privacy, Technology and the Law of the Senate Judiciary Committee held a hearing titled “Examining the Proposed FCC Privacy Rules.” Present at the hearing were witnesses FCC Chairman Thomas Wheeler, FCC Commissioner Ajit Pai, FTC Chairwoman Edith Ramirez, and FTC Commissioner Maureen Ohlhausen. The focal point of the hearing was the FCC’s proposed rule (which comes after its Open Internet Order released in February 2015, designed to preserve net neutrality) on broadband internet services, which is, according to proponents of the proposal, intended to ensure that consumers’ personal information is adequately protected when Internet Service Providers (ISPs) collect information on consumers using their products.

On April 13, the Article 29 Working Party (WP29) of the European Union released its assessment of the draft framework for transatlantic data flows: EU-US Privacy Shield, which was announced on February 2. According to the assessment, the WP29 evaluated the Privacy Shield from a commercial as well as a national security perspective. Regarding commercial aspects of the Privacy Shield, the WP29 maintained that “key data protection principles as outlined in European law are not reflected in the draft adequacy decision and the annexes, or have been inadequately substituted by alternative notions.” The WP29 further opined that it “cannot find in the documents constituting the Privacy Shield any reference to the necessity for data controllers to ensure that the data are deleted once the purpose for which they were collected or further processed has become obsolete. Hence, as it seems, the Principles do not impose to the certified organisations [sic] a limit for the period of retention of the data comparable to what is imposed by the data retention limitation principle under EU law.” Regarding onward transfers and national security, the WP29 commented that, because the Privacy Shield will be used to transfer data outside the U.S., it must ensure the same level of protection on all aspects, including national security, and “should not lead to lower or circumvent EU data protection principles.” According to the WP29, as the Privacy Shield is currently drafted, “onward transfers of EU personal data are insufficiently framed, especially regarding their scope, the limitation of their purpose and the guarantees applying to transfers to Agents.” Finally, the WP29 raised doubts about the effectiveness of the Ombudsperson at the U.S. State Department, questioning whether the designated person would be equal in independence to national security oversight bodies in other countries.